#ISC2Congress: Interview: Derrick Butts, CIO, The Truth Initiative

Derrick Butts is the CIO and cybersecurity officer for The Truth Initiative, America’s largest public not-for-profit health organization, which aims to inspire tobacco-free lives.

At the (ISC)2 Congress in Austin, Texas, on September 26, 2017, Eleanor Dallaway met Derrick Butts to find out about life as CIO of The Truth Initiative.

Butts, unusually, does the job of both the CIO and cybersecurity officer. He says that his background (including roles at Siemens, MCI/WorldCom and the Department of Defense-Navy) positions him well to do both.

He has a team of five people, and in his own words, his biggest task is to “look at the strategy of the organization’s three-year mission and enable it to achieve it.”

The nature of the organization makes it a definite target for attackers, said Butts. “Tobacco companies are not happy about our message and want to vocalize it. Some people get upset with our messaging and protest what we do. We have public-facing websites that we don’t want to be interrupted.”

Although the organization holds no sensitive data or information that Butts and his team have to worry about, he reveals that they’ve had attacks in the past, and he never loses sight of the fact that “we’re definitely a target.”

His tasks include increasing cybersecurity awareness, user training and endpoint protection. “I ask myself how we maintain our security posture, whilst creating new innovations to help our staff work smarter and not harder.” He is currently exploring how to gamify his cybersecurity awareness message, a concept that he believes will help get the message across.


Despite being a not-for-profit and therefore having limited funds, Butts has worked with the C-suite to school them on the need for funds to get the organization to the level it needs to be at. “I meet with them monthly so that they know exactly what is going on, and they embrace the fact that I’m educating them. They get it and have a good understanding, which has allowed us to do pen-testing, vulnerability testing and more.”

Butts’ team consists of an IT director, network administrator and senior and junior support specialists. “I’ve mandated that they all get certs”, he said. When asked about millennials in the cybersecurity workforce, Butts answered: “We need to offer training, education and really embrace them. We need to meet them in the middle and ask what they can bring to the table.”

Butts got his CISSP in 2013 on his second attempt at attaining the cert. “It was a grueling experience and my lack of knowledge about governance tripped me up on my first attempt.”

He took his CISSP to “validate my experience as I’d been working with security and infrastructure for 15 years. I was also looking to give my business at the time more credibility. Some potential clients were demanding it.” In addition, Butts added that he wanted to be part of the (ISC)2 culture.

Are certs still as relevant in 2017 as they were in 2013? “It depends who you talk to,” said Butts. “In the Department of Defense, credentials were really important for walking with classified systems. In the corporate world, it depends on clients and what they require.” For Butts, though, his cert validates him as the competent security professional that he is.